HIPAA Omnibus: Compliance Countdown
Privacy, Security Experts Give Pre-Deadline Tips
With less than two months left until the Sept. 23 enforcement deadline for the HIPAA Omnibus Rule, several key milestones remain for covered entities and business associates to hit in their compliance efforts, say several privacy and security experts.
Among the tasks that should be close to getting crossed off the to-do list: updating security and privacy policies and procedures to meet the new requirements; performing due diligence for business associate relationships; and updating breach response and notification plans.
HealthcareInfoSecurity reached out to several privacy and security experts for tips on what goals need to be accomplished now for covered entities and business associates to be compliant with HIPAA Omnibus by the Sept. 23 enforcement deadline. Among the pros who offered input were privacy attorneys Adam Greene and Kirk Nahra and security consultant Rebecca Herold.
When it comes to updating their information security and privacy policies and procedures to meet the new requirements, healthcare organizations and business associates should act swiftly, warns Herold, partner at Compliance Helper and CEO at The Privacy Professor, a consulting firm. Under HIPAA Omnibus, business associates and their subcontractors are directly liable for HIPAA compliance.
"If they don't have any documented policies and procedures - and a large portion of BAs still don't - then they need to ... establish documented information security and privacy policies and procedures customized to their organization, now," Herold says.
Those items range from how protected health information is handled to how suspected breaches are assessed.
"We recommend working on policies on new restrictions on uses and disclosures, such as sale of PHI or use of PHI for marketing, new policies on patient access to electronic information, and evaluating how to best operationalize restrictions on disclosures where persons pay out of pocket," says Greene of law firm Davis Wright Tremaine LLC.
Nahra, a partner at the law firm Wiley Rein LLP, recommends that leaders check in on the progress of their HIPAA Security compliance plan - especially if their organization is a business associate that has not had to comply before. But a quick review could be a good refresher for covered entities, too.
When giving your policies and procedures the once-over, confirm that any marketing programs are consistent with the new HIPAA rules, Nahra says. "If you are getting any payment to do marketing, be extra careful in your analysis."
Evaluate Business Associates
An important task that needs to be completed for all covered entities' and business associates' relationships, as well as business associate relationships with subcontractors, involves reviewing their contracts.
New BA relationships and contract renewals that were signed after the HIPAA Omnibus Rule was published in the Federal Register on Jan. 25 need to reflect Omnibus requirements by Sept. 23, 2013. However, pre-existing BA contracts have until Sept. 23, 2014 to be modified.
"Right now, we recommend that covered entities and business associates use an updated business associate agreement if they enter into new contracts to avoid having to revise the contracts again by September," Greene says.
Organizations should ensure they have a plan for revising business associate agreements, says Nahra. Herold suggests checking out the business associate agreement template available on the Department of Health and Human Services' website for guidance.
Herold also recommends organizations send BAs their updated BA agreements sooner rather than later. "Get their signatures, and get it back before Sept. 23. This process can often take several weeks. So don't wait until Sept. 22 to send out the updated BA agreements; get them out now," she urges.
But before business associate agreements can be updated, organizations need to know who their business associates are, especially considering that, under Omnibus, the definition of BAs has been expanded as "an entity that creates, receives, maintains or transmits protected health information for a function or regulated activity," says attorney Stephen Wu, a partner at Cooke Kobrick & Wu LLP. As a result, more vendors, such as many cloud providers, are business associates that now must comply with HIPAA.
Certainly, due diligence for business associates needs to be done ASAP, including organizations identifying all their BAs, Herold says. Clients who use a BA tracker tool she makes available "are usually surprised to find they have more BAs than they thought they did, especially when considering the definition of a BA has expanded under Omnibus and the guidance provided by the HHS," she says.
Herold also recommends that covered entities provide their BAs with a checklist of expectations for HIPAA compliance. That should be much easier to read and understand than the actual business associate agreement, she says.
In addition to getting their BA relationships in order, organizations also need to make certain that their own staff is aware of changes that HIPAA Omnibus brings. Among those changes: allowing patients to keep private from insurers the treatments for which they've paid in cash, as well as knowing how to report suspected breaches to appropriate managers.
If they haven't already done so, organizations should provide all their personnel with information security and privacy training, particularly as it relates to HIPAA Omnibus, Herold says. "Then plan to provide ongoing awareness communications and activities, which are also required by HIPAA in addition to the more formal training," she says.
As the Sept. 23 deadline draws nearer, "re-evaluate your security breach plan and analyze how you will approach the different breach notification standard under the new HIPAA Omnibus rule," Nahra says.
That's also where the preparedness of workers is key. "Workforces will need to be trained and given further information on [breach] reporting and what's required," says Ellen Giblin, privacy counsel at the Ashcroft Law Firm in Boston. That will not only help compliance with HIPAA Omnibus' new breach notification requirements, but can also aid in breach prevention, which can get expensive. Under HIPAA Omnibus, enforcement penalties can range up to $1.5 million per HIPAA violation. A well-trained staff "can mitigate [an incident] while the breach is occurring in real time," she says. This can help "close up incidents and bring down liability" for covered entities, she adds.
But before staff can be trained, of course, organizations must make certain they've updated their breach response and notification processes to address the Omnibus Rule changes, Herold points out. "Those organizations that don't have such processes, which include a large portion of BAs, need to get them created now," she says.
Finally, in addition to ensuring that breach response and notification plans are updated, covered entities must also remember to have ready new patient privacy notices to issue.
"Covered entities that are required to provide a Notice of Privacy Practices, which includes the large majority of healthcare providers, need to make some significant changes to their NPPs that are in effect now, and must have the new versions in place," Herold says. Modifications to the NPP should include an explanation of how patient data is used for marketing or fundraising, as well as a description of patients' right to ask that treatments and services paid for in cash not be disclosed to insurers. "Covered entities must be providing the new NPP to their patients by the September 23 deadline," Herold says.